
wireshark: yet another pile of dissector flaws

Posted Oct 6, 2014 20:41 UTC (Mon) by malor (guest, #2973)
In reply to: wireshark: yet another pile of dissector flaws by bronson
Parent article: wireshark: yet another pile of dissector flaws

>Got any evidence to back up this claim? Stuxnet-scale scenarios are not as common as you imply.

Actually, I'd say the burden of proof is on you, since I never mentioned anything about Stuxnet scale. What I said is that targeted attacks definitely get used. Can you prove otherwise?

>Again, got evidence of anyone on the Wireshark team saying this? Lots of apps say to not run as root.

Sure, but *when that app needs root to run*, then that's a completely bogus restriction. "Our software is safe to use, as long as you don't actually use it in the major mode for which it was designed."

It's a weak, lame cop-out.

If you're going to be releasing code that needs root to run, then you should absolutely err on the side of not including contributed code you haven't audited very carefully.

Plus, for god's sake, it's a program that's designed to intercept and analyze unknown data from unknown sources. Extreme caution should be the order of the day with any program that can be exposed to hostile traffic... and wireshark is one of the first tools that often get deployed to analyze that type of traffic. It's supposedly one of the first responders to security problems; there aren't that many programs where security matters more.

As is, wireshark is like a firetruck that explodes if an ember falls on it.

And, as raven points out, particularly with the typically dismal state of local security in the Linux kernel, even if you rig up the lame "capture as root, analyze on another computer" scenario that they apparently think is an okay prescription for their security problems, getting any account at all on a network engineer's workstation is very dangerous. Once you have an account, getting root is frequently quite easy.


wireshark: yet another pile of dissector flaws

Posted Oct 6, 2014 22:15 UTC (Mon) by bronson (subscriber, #4806) [Link] (3 responses)

No it does NOT need root to run. Whenever I used it, I pulled dumps from some virtual interface who-knows-where, and then ran it -- as my user -- over the dumpfiles.

If you're running it as root, presumably you're doing it on a private network anyway, and therefore you don't have much to worry about or, at the very least, you know what threats you're facing.

> As is, wireshark is like a firetruck that explodes if an ember falls on it.

It seems to me like you're being a firetruck that explodes if an ember falls on it? Lots of vulnerabilities do not imply lots of danger.

Clearly you feel very strongly. Maybe you could direct some of that energy into strengthening the dissectors? It's an amazingly huge coding problem and can use all the man hours it can get.

wireshark: yet another pile of dissector flaws

Posted Oct 19, 2014 2:42 UTC (Sun) by ccurtis (guest, #49713) [Link] (2 responses)

> No it does NOT need root to run. Whenever I used it, I pulled dumps from some virtual interface who-knows-where, and then ran it -- as my user -- over the dumpfiles.

I don't understand your argument. Instead of exploiting root, now it exploits your user account. This makes you feel better for some reason?

wireshark: yet another pile of dissector flaws

Posted Oct 19, 2014 3:05 UTC (Sun) by rahulsundaram (subscriber, #21946) [Link]

Why wouldn't it?

wireshark: yet another pile of dissector flaws

Posted Oct 19, 2014 3:23 UTC (Sun) by pizza (subscriber, #46) [Link]

> I don't understand your argument. Instead of exploiting root, now it exploits your user account. This makes you feel better for some reason?

Serious question. Just what, exactly, is the threat vector here?

I'm not saying that it's impossible to exploit, just that it would take a seriously motivated attacker specifically targeting you for it to be worth their effort -- and that's just for a maliciously crafted capture file. If the attack involved live packet injection into your local network segment, you've already lost.

...Maybe I lack imagination or paranoia, but the only scenarios I can come up with make Schneier's Movie Plot Challenges look downright plausible in comparison.

wireshark: yet another pile of dissector flaws

Posted Oct 6, 2014 22:53 UTC (Mon) by bronson (subscriber, #4806) [Link]

Sorry, missed this.

> Actually, I'd say the burden of proof is on you, since I never mentioned anything about Stuxnet scale. What I said is that targeted attacks definitely get used. Can you prove otherwise?

Sure. As far as I know, targeted attacks have not successfully been used against Wireshark yet. You're the one saying it's such a big problem so maybe post some evidence demonstrating why?

As pizza said, it would be really REALLY difficult to target Wireshark. Not impossible, just requiring an unbelievable amount of preparation. I shortened that concept to "Stuxnet-scale" but you can insert whatever APT name you want.

Yes, I agree, it's a problem. However, everything is a trade-off, and this is how the devs have chosen to proceed. If Wireshark scares you so deeply, don't worry: it's not installed by default.

wireshark: yet another pile of dissector flaws

Posted Oct 7, 2014 0:00 UTC (Tue) by pizza (subscriber, #46) [Link]

> If you're going to be releasing code that needs root to run, then you should absolutely err on the side of not including contributed code you haven't audited very carefully.

I suggest you audit your understanding; wireshark has, for a very long time now, separated the *capture* component (which requires elevated privileges for some sorts of capture operations) from the *decoding* component into separate processes.

> It's supposedly one of the first responders to security problems; there aren't that many programs where security matters more.

By all means help them out, they're always in need of help. Or are you volunteering additional work on others?


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds